Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.mortbay.jasper\apache-el\8.5.70\e280d60a1b02f85babcc20ed53d603def113f853\apache-el-8.5.70.jar
MD5: 80ac9c33ea094dceffe266414fc8f353
SHA1: e280d60a1b02f85babcc20ed53d603def113f853
SHA256: 9b1c6ccfb6aa2d12a5a0b07a75ab26445445c4396a3497f9928adc6cacfae5ca
Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath
apache-el-8.5.70.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.mortbay.jasper\apache-jsp\8.5.70\67515d2ae96e9cb442659668b6a58423f112b5ed\apache-jsp-8.5.70.jar
MD5: 6361332393675f05d67298e7ab73490a
SHA1: 67515d2ae96e9cb442659668b6a58423f112b5ed
SHA256: e004d2f87c6bf5abc68bc7e9b2169cec2e24d92553c39036b83edafb174372bd
Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath
apache-jsp-8.5.70.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently, which could result in data being returned to the wrong user and/or other errors.
An Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8 allows local attackers to escalate from group tomcat to root. This issue affects: SUSE Enterprise Storage 5 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP4 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 12-SP5 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 15-LTSS tomcat versions prior to 9.0.35-3.57.3. SUSE Linux Enterprise Server for SAP 12-SP2 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 12-SP3 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 15 tomcat versions prior to 9.0.35-3.57.3. SUSE OpenStack Cloud 7 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud 8 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud Crowbar 8 tomcat versions prior to 8.0.53-29.32.1.
The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.
CWE-772 Missing Release of Resource after Effective Lifetime
The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.
If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Description: HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Due Date: 2023-10-31
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/ ; https://nvd.nist.gov/vuln/detail/CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests, leading to the possibility of request smuggling when behind a reverse proxy.
Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.
In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing an XSS vulnerability.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in the FORM authentication feature of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92.
The vulnerability is limited to the ROOT (default) web application.
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process, leading to information leaking from the current request/response to the next.
Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests, leading to the possibility of request smuggling when behind a reverse proxy.
Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.
The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\apache-jsp\9.4.44.v20210927\6cc73cb8ec63f2b4dabefb22e1a234d632752490\apache-jsp-9.4.44.v20210927.jar
MD5: dd3d9616fea6e4ed73462ec84d1d62ee
SHA1: 6cc73cb8ec63f2b4dabefb22e1a234d632752490
SHA256: c68dccc963a89f87a353fe764bcffa2a35fe8f759660449bd945d3a949e8712d
Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath
apache-jsp-9.4.44.v20210927.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
Evidence

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | file | name | apache-jsp | High |
| Vendor | gradle | artifactid | apache-jsp | Highest |
| Vendor | gradle | groupid | org.eclipse.jetty | Highest |
| Vendor | jar | package name | apache | Highest |
| Vendor | jar | package name | eclipse | Highest |
| Vendor | jar | package name | jetty | Highest |
| Vendor | jar | package name | jsp | Highest |
| Vendor | Manifest | automatic-module-name | org.eclipse.jetty.apache.jsp | Medium |
| Vendor | Manifest | build-jdk-spec | 11 | Low |
| Vendor | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. | |
In the Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources left to process good requests.
CWE-664 Improper Control of a Resource Through its Lifetime, NVD-CWE-Other, CWE-410 Insufficient Resource Pool
Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.
CWE-400 Uncontrolled Resource Consumption, CWE-190 Integer Overflow or Wraparound
Description: HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Due Date: 2023-10-31
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/ ; https://nvd.nist.gov/vuln/detail/CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and exhaust the server's memory.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
NVD-CWE-noinfo, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character preceding the content-length value in an HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if Jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.
CWE-130 Improper Handling of Length Parameter Inconsistency, NVD-CWE-noinfo
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing.
The HttpURI class does insufficient validation on the authority segment of a URI. However, the behaviour of HttpURI differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RFC. Specifically, HttpURI and the browser may differ on the value of the host extracted from an invalid URI, and thus a combination of Jetty and a vulnerable browser may be vulnerable to an open redirect attack or to an SSRF attack if the URI is used after passing validation checks.
CWE-1286 Improper Validation of Syntactic Correctness of Input, NVD-CWE-Other
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of the jetty-openid which have configured a nested `LoginService` and where that `LoginService` is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.
In Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and 11.0.0 through 11.0.9, when parsing the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.
ASM, a very small and fast Java bytecode manipulation framework
License:
BSD-3-Clause: https://asm.ow2.io/license.html
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.ow2.asm\asm\9.6\aa205cf0a06dbd8e04ece91c0b37c3f5d567546a\asm-9.6.jar
MD5: 6f8bccf756f170d4185bb24c8c2d2020
SHA1: aa205cf0a06dbd8e04ece91c0b37c3f5d567546a
SHA256: 3c6fac2424db3d4a853b669f4e3d1d9c3c552235e19a319673f887083c2303a1
Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath
asm-9.6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
Evidence

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | central | artifactid | asm | Highest |
| Vendor | central | groupid | org.ow2.asm | Highest |
| Vendor | file | name | asm | High |
| Vendor | gradle | artifactid | asm | Highest |
| Vendor | gradle | groupid | org.ow2.asm | Highest |
| Vendor | jar | package name | asm | Highest |
| Vendor | jar | package name | asm | Low |
| Vendor | jar | package name | objectweb | Highest |
| Vendor | jar | package name | objectweb | Low |
| Vendor | Manifest | bundle-docurl | http://asm.ow2.org | Low |
| Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low |
| Vendor | Manifest | bundle-symbolicname | org.objectweb.asm | Medium |
| Vendor | pom | artifactid | asm | Low |
| Vendor | pom | developer email | ebruneton@free.fr | Low |
| Vendor | pom | developer email | eu@javatx.org | Low |
| Vendor | pom | developer email | forax@univ-mlv.fr | Low |
| Vendor | pom | developer id | ebruneton | Medium |
| Vendor | pom | developer id | eu | Medium |
| Vendor | pom | developer id | forax | Medium |
| Vendor | pom | developer name | Eric Bruneton | Medium |
| Vendor | pom | developer name | Eugene Kuleshov | Medium |
| Vendor | pom | developer name | Remi Forax | Medium |
| Vendor | pom | groupid | org.ow2.asm | Highest |
| Vendor | pom | name | asm | High |
| Vendor | pom | organization name | OW2 | High |
| Vendor | pom | organization url | http://www.ow2.org/ | Medium |
| Vendor | pom | parent-artifactid | ow2 | Low |
| Vendor | pom | parent-groupid | org.ow2 | Medium |
| Vendor | pom | url | http://asm.ow2.io/ | Highest |
| Product | central | artifactid | asm | Highest |
| Product | file | name | asm | High |
| Product | gradle | artifactid | asm | Highest |
| Product | jar | package name | asm | Highest |
| Product | jar | package name | asm | Low |
| Product | jar | package name | objectweb | Highest |
| Product | Manifest | bundle-docurl | http://asm.ow2.org | Low |
| Product | Manifest | Bundle-Name | org.objectweb.asm | Medium |
| Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low |
| Product | Manifest | bundle-symbolicname | org.objectweb.asm | Medium |
| Product | Manifest | Implementation-Title | ASM, a very small and fast Java bytecode manipulation framework | |
Static code analysis API of ASM, a very small and fast Java bytecode manipulation framework
License:
BSD-3-Clause: https://asm.ow2.io/license.html
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.ow2.asm\asm-analysis\9.6\9ce6c7b174bd997fc2552dff47964546bd7a5ec3\asm-analysis-9.6.jar
MD5: 31c84ef7cc893fb278952ae2d6a2674f
SHA1: 9ce6c7b174bd997fc2552dff47964546bd7a5ec3
SHA256: d92832d7c37edc07c60e2559ac6118b31d642e337a6671edcb7ba9fae68edbbb
Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath
asm-analysis-9.6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
Useful class adapters based on ASM, a very small and fast Java bytecode manipulation framework
License:
BSD-3-Clause: https://asm.ow2.io/license.html
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.ow2.asm\asm-commons\9.6\f1a9e5508eff490744144565c47326c8648be309\asm-commons-9.6.jar
MD5: 9e317c75534bd1da8c00a67c618ab288
SHA1: f1a9e5508eff490744144565c47326c8648be309
SHA256: 7aefd0d5c0901701c69f7513feda765fb6be33af2ce7aa17c5781fc87657c511
Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath
asm-commons-9.6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
Tree API of ASM, a very small and fast Java bytecode manipulation framework
License:
BSD-3-Clause: https://asm.ow2.io/license.html
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.ow2.asm\asm-tree\9.6\c0cdda9d211e965d2a4448aa3fd86110f2f8c2de\asm-tree-9.6.jar
MD5: 6062608f1a98afe1e853d01fa1221a9e
SHA1: c0cdda9d211e965d2a4448aa3fd86110f2f8c2de
SHA256: c43ecf17b539c777e15da7b5b86553b377e2d39a683de6285567d5283888e7ef
Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath
asm-tree-9.6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
Evidence

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | central | artifactid | asm-tree | Highest |
| Vendor | central | groupid | org.ow2.asm | Highest |
| Vendor | file | name | asm-tree | High |
| Vendor | gradle | artifactid | asm-tree | Highest |
| Vendor | gradle | groupid | org.ow2.asm | Highest |
| Vendor | jar | package name | asm | Highest |
| Vendor | jar | package name | asm | Low |
| Vendor | jar | package name | objectweb | Highest |
| Vendor | jar | package name | objectweb | Low |
| Vendor | jar | package name | tree | Highest |
| Vendor | jar | package name | tree | Low |
| Vendor | Manifest | bundle-docurl | http://asm.ow2.org | Low |
| Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low |
| Vendor | Manifest | bundle-symbolicname | org.objectweb.asm.tree | Medium |
| Vendor | Manifest | module-requires | org.objectweb.asm;transitive=true | Low |
| Vendor | pom | artifactid | asm-tree | Low |
| Vendor | pom | developer email | ebruneton@free.fr | Low |
| Vendor | pom | developer email | eu@javatx.org | Low |
| Vendor | pom | developer email | forax@univ-mlv.fr | Low |
| Vendor | pom | developer id | ebruneton | Medium |
| Vendor | pom | developer id | eu | Medium |
| Vendor | pom | developer id | forax | Medium |
| Vendor | pom | developer name | Eric Bruneton | Medium |
| Vendor | pom | developer name | Eugene Kuleshov | Medium |
| Vendor | pom | developer name | Remi Forax | Medium |
| Vendor | pom | groupid | org.ow2.asm | Highest |
| Vendor | pom | name | asm-tree | High |
| Vendor | pom | organization name | OW2 | High |
| Vendor | pom | organization url | http://www.ow2.org/ | Medium |
| Vendor | pom | parent-artifactid | ow2 | Low |
| Vendor | pom | parent-groupid | org.ow2 | Medium |
| Vendor | pom | url | http://asm.ow2.io/ | Highest |
| Product | central | artifactid | asm-tree | Highest |
| Product | file | name | asm-tree | High |
| Product | gradle | artifactid | asm-tree | Highest |
| Product | jar | package name | asm | Highest |
| Product | jar | package name | asm | Low |
| Product | jar | package name | objectweb | Highest |
| Product | jar | package name | tree | Highest |
| Product | jar | package name | tree | Low |
| Product | Manifest | bundle-docurl | http://asm.ow2.org | Low |
| Product | Manifest | Bundle-Name | org.objectweb.asm.tree | Medium |
| Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low |
| Product | Manifest | bundle-symbolicname | org.objectweb.asm.tree | Medium |
| Product | Manifest | Implementation-Title | Tree API of ASM, a very small and fast Java bytecode manipulation framework | |
Utilities for ASM, a very small and fast Java bytecode manipulation framework
License:
BSD-3-Clause: https://asm.ow2.io/license.html
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.ow2.asm\asm-util\9.6\f77caf84eb93786a749b2baa40865b9613e3eaee\asm-util-9.6.jar
MD5: bd3bc1c176a787373e9a031073c9574b
SHA1: f77caf84eb93786a749b2baa40865b9613e3eaee
SHA256: c635a7402f4aa9bf66b2f4230cea62025a0fe1cd63e8729adefc9b1994fac4c3
Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath
asm-util-9.6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\colt\colt\1.2.0\abc984f3adc760684d49e0f11ddf167ba516d4f\colt-1.2.0.jar
MD5: f6be558e44de25df08b9f515b2a7ffee
SHA1: 0abc984f3adc760684d49e0f11ddf167ba516d4f
SHA256: e1fcbfbdd0d0caedadfb59febace5a62812db3b9425f3a03ef4c4cbba3ed0ee3
Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath
colt-1.2.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
The Apache Commons Codec package contains simple encoders and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\commons-codec\commons-codec\1.11\3acb4705652e16236558f0f4f2192cc33c3bd189\commons-codec-1.11.jar
MD5: 567159b1ae257a43e1391a8f59d24cfe
SHA1: 3acb4705652e16236558f0f4f2192cc33c3bd189
SHA256: e599d5318e97aa48f42136a2927e6dfa4e8881dff0e6c8e3109ddbbff51d7b7d
Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath
commons-codec-1.11.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\commons-collections\commons-collections\3.2.2\8ad72fe39fa8c91eaaf12aadb21e0c3661fe26d5\commons-collections-3.2.2.jar
MD5: f54a8510f834a1a57166970bfc982e94
SHA1: 8ad72fe39fa8c91eaaf12aadb21e0c3661fe26d5
SHA256: eeeae917917144a68a741d4c0dff66aa5c5c5fd85593ff217bced3fc8ca783b8
Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath
commons-collections-3.2.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\commons-io\commons-io\2.10.0\79384da84646660c57b89aa86a5a1eb98af50e00\commons-io-2.10.0.jar
MD5: fbe67a3601f36dca0f5d0de81d448f7e
SHA1: 79384da84646660c57b89aa86a5a1eb98af50e00
SHA256: 15093cffda2a0c65783c1d371de55548303cc158df94a66fc6cd15d25c3e2ef8
Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath
commons-io-2.10.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
Uncontrolled Resource Consumption vulnerability in Apache Commons IO.
The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input.
This issue affects Apache Commons IO: from 2.0 before 2.14.0.
Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue.
Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.apache.commons\commons-lang3\3.12.0\c6842c86792ff03b9f1d1fe2aab8dc23aa6c6f0e\commons-lang3-3.12.0.jar
MD5: 19fe50567358922bdad277959ea69545
SHA1: c6842c86792ff03b9f1d1fe2aab8dc23aa6c6f0e
SHA256: d919d904486c037f8d193412da0c92e22a9fa24230b9d67a57855c5c31c7e94e
Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath
commons-lang3-3.12.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\commons-logging\commons-logging\1.2\4bfc12adfe4842bf07b657f0369c4cb522955686\commons-logging-1.2.jar
MD5: 040b4b4d8eac886f6b4a2a3bd2f31b00
SHA1: 4bfc12adfe4842bf07b657f0369c4cb522955686
SHA256: daddea1ea0be0f56978ab3006b8ac92834afeefbd9b7e4e6316fca57df0fa636
Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath
commons-logging-1.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\commons-net\commons-net\3.8.0\63ea56587c8aaf05adab5cb0397e056bac8a2db0\commons-net-3.8.0.jar
MD5: d4b7197bf50afc96e2fa2657a339f037
SHA1: 63ea56587c8aaf05adab5cb0397e056bac8a2db0
SHA256: 352b0ba1c657d8930063a9b83878fb717deef2d29ee25d13943be9beccc64d49
Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath
commons-net-3.8.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.apache.commons\commons-text\1.9\ba6ac8c2807490944a0a27f6f8e68fb5ed2e80e2\commons-text-1.9.jar MD5: c1c130c369aa86bfe4f7a7a920bc0223 SHA1: ba6ac8c2807490944a0a27f6f8e68fb5ed2e80e2 SHA256:0812f284ac5dd0d617461d9a2ab6ac6811137f25122dfffd4788a4871e732d00 Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath commons-text-1.9.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:
- "script" - execute expressions using the JVM script execution engine (javax.script)
- "dns" - resolve dns records
- "url" - load values from urls, including from remote servers
Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
CWE-94 Improper Control of Generation of Code ('Code Injection')
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.brotli\dec\0.1.2\c26a897ae0d524809eef1c786cc6183b4ddcc3b\dec-0.1.2.jar MD5: 4b1cd14cf29733941cc536b27e6aedfa SHA1: 0c26a897ae0d524809eef1c786cc6183b4ddcc3b SHA256:615c0c3efef990d77831104475fba6a1f7971388691d4bad1471ad84101f6d52 Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath dec-0.1.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
Eclipse Public License - v 2.0: https://www.eclipse.org/legal/epl-2.0/
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.eclipse.jdt\ecj\3.19.0\99ccdf7b2a75afb720270ab888bb21d6159ee631\ecj-3.19.0.jar MD5: 861e6f96eae48fdd1296097e71780786 SHA1: 99ccdf7b2a75afb720270ab888bb21d6159ee631 SHA256:eedc5942f164696b9a8a8bc62a9b29516f82f2c7010946de1c7e6c8db36c63f7 Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath ecj-3.19.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\com.google.code.gson\gson\2.6.2\f1bc476cc167b18e66c297df599b2377131a8947\gson-2.6.2.jar MD5: 302e660f8e4928b7417ce145af88cacd SHA1: f1bc476cc167b18e66c297df599b2377131a8947 SHA256:b8545ba775f641f8bba86027f06307152279fee89a46a4006df1bf2f874d4d9d Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath gson-2.6.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.gwtproject\gwt-dev\2.12.1\ecf3c47b0b06165d5bc3bc306340d61b7d118ab6\gwt-dev-2.12.1.jar MD5: b931fa7411be8d905b7efaec2d859d9a SHA1: ecf3c47b0b06165d5bc3bc306340d61b7d118ab6 SHA256:a33d214721e07df9c297bf8b1b536741f532741fa94f46e33cc37e5898a0e10f Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath gwt-dev-2.12.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:gradle/gwt-dev-vulnerabilities@unspecified
A headless browser intended for use in testing web-based applications.
License:
Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\net.sourceforge.htmlunit\htmlunit\2.55.0\19b993df433692899e82b63490a6792181b9ef51\htmlunit-2.55.0.jar MD5: e324c3c79c50ca4f0845fc1788ca35b7 SHA1: 19b993df433692899e82b63490a6792181b9ef51 SHA256:df37f1007a623a5924f2cc9dfab2dbc005fd50540bb06f7a7e40debe6571009d Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath htmlunit-2.55.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
Versions of the package net.sourceforge.htmlunit:htmlunit from 0 and before 3.0.0 are vulnerable to Remote Code Execution (RCE) via XSLT, when browsing the attacker's webpage.
CWE-94 Improper Control of Generation of Code ('Code Injection'), NVD-CWE-noinfo
HtmlUnit is a GUI-less browser for Java programs. HtmlUnit is vulnerable to Remote Code Execution (RCE) via XSLT, when browsing the attacker's webpage. This vulnerability has been patched in version 3.9.0.
CWE-94 Improper Control of Generation of Code ('Code Injection'), NVD-CWE-noinfo
HtmlUnit NekoHtml Parser before 2.61.0 suffers from a denial of service vulnerability. Crafted input associated with the parsing of Processing Instruction (PI) data leads to heap memory consumption. This is similar to CVE-2022-28366 but affects a much later version of the product.
Those using HtmlUnit to browse untrusted webpages may be vulnerable to denial of service (DoS) attacks. If HtmlUnit is running on user supplied web pages, an attacker may supply content that causes HtmlUnit to crash by a stack overflow. This effect may support a denial of service attack. This issue affects htmlunit before 2.70.0.
HtmlUnit adaptation of Mozilla Rhino Javascript engine for Java. Changes are documented by a diff (rhinoDiff.txt) contained in the generated jar files.
License:
Mozilla Public License, Version 2.0: http://www.mozilla.org/MPL/2.0/index.txt
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\net.sourceforge.htmlunit\htmlunit-core-js\2.55.0\edf682911ae555e4ac520207fbcab06dd2427cbb\htmlunit-core-js-2.55.0.jar MD5: 359d538eb4e63e16e86f53547e623288 SHA1: edf682911ae555e4ac520207fbcab06dd2427cbb SHA256:612746615e89fe75ac255a4d4269a437875527949efb58f091a27c8284f8e7a9 Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath htmlunit-core-js-2.55.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
Versions of the package net.sourceforge.htmlunit:htmlunit from 0 and before 3.0.0 are vulnerable to Remote Code Execution (RCE) via XSLT, when browsing the attacker's webpage.
CWE-94 Improper Control of Generation of Code ('Code Injection'), NVD-CWE-noinfo
HtmlUnit is a GUI-less browser for Java programs. HtmlUnit is vulnerable to Remote Code Execution (RCE) via XSLT, when browsing the attacker's webpage. This vulnerability has been patched in version 3.9.0.
CWE-94 Improper Control of Generation of Code ('Code Injection'), NVD-CWE-noinfo
HtmlUnit NekoHtml Parser before 2.61.0 suffers from a denial of service vulnerability. Crafted input associated with the parsing of Processing Instruction (PI) data leads to heap memory consumption. This is similar to CVE-2022-28366 but affects a much later version of the product.
Those using HtmlUnit to browse untrusted webpages may be vulnerable to denial of service (DoS) attacks. If HtmlUnit is running on user supplied web pages, an attacker may supply content that causes HtmlUnit to crash by a stack overflow. This effect may support a denial of service attack. This issue affects htmlunit before 2.70.0.
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\net.sourceforge.htmlunit\htmlunit-cssparser\1.10.0\6d601cb81693bdb1d239b162fc2bf52c02a5865c\htmlunit-cssparser-1.10.0.jar MD5: f02b9e8fd9feb8fd062608455785915e SHA1: 6d601cb81693bdb1d239b162fc2bf52c02a5865c SHA256:8a2e0c61d3b50b76b7157e1d2235b99ced68f7af2d907e6bb92089e6f4925ee5 Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath htmlunit-cssparser-1.10.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
Versions of the package net.sourceforge.htmlunit:htmlunit from 0 and before 3.0.0 are vulnerable to Remote Code Execution (RCE) via XSLT, when browsing the attacker's webpage.
CWE-94 Improper Control of Generation of Code ('Code Injection'), NVD-CWE-noinfo
HtmlUnit is a GUI-less browser for Java programs. HtmlUnit is vulnerable to Remote Code Execution (RCE) via XSLT, when browsing the attacker's webpage. This vulnerability has been patched in version 3.9.0.
CWE-94 Improper Control of Generation of Code ('Code Injection'), NVD-CWE-noinfo
HtmlUnit prior to 2.37.0 contains code execution vulnerabilities. HtmlUnit initializes the Rhino engine improperly, hence malicious JavaScript code can execute arbitrary Java code on the application. Moreover, when embedded in an Android application, Android-specific initialization of the Rhino engine is done in an improper way, hence malicious JavaScript code can execute arbitrary Java code on the application.
CWE-665 Improper Initialization, CWE-94 Improper Control of Generation of Code ('Code Injection')
Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.
HtmlUnit NekoHtml Parser before 2.61.0 suffers from a denial of service vulnerability. Crafted input associated with the parsing of Processing Instruction (PI) data leads to heap memory consumption. This is similar to CVE-2022-28366 but affects a much later version of the product.
Those using HtmlUnit to browse untrusted webpages may be vulnerable to denial of service (DoS) attacks. If HtmlUnit is running on user supplied web pages, an attacker may supply content that causes HtmlUnit to crash by a stack overflow. This effect may support a denial of service attack. This issue affects htmlunit before 2.70.0.
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.apache.httpcomponents\httpclient\4.5.13\e5f6cae5ca7ecaac1ec2827a9e2d65ae2869cada\httpclient-4.5.13.jar MD5: 40d6b9075fbd28fa10292a45a0db9457 SHA1: e5f6cae5ca7ecaac1ec2827a9e2d65ae2869cada SHA256:6fe9026a566c6a5001608cf3fc32196641f6c1e5e1986d1037ccdbd5f31ef743 Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath httpclient-4.5.13.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.apache.httpcomponents\httpcore\4.4.13\853b96d3afbb7bf8cc303fe27ee96836a10c1834\httpcore-4.4.13.jar MD5: e07a248f61c52776a2366c075dcd4963 SHA1: 853b96d3afbb7bf8cc303fe27ee96836a10c1834 SHA256:e06e89d40943245fcfa39ec537cdbfce3762aecde8f9c597780d2b00c2b43424 Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath httpcore-4.4.13.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.apache.httpcomponents\httpmime\4.5.13\efc110bad4a0d45cda7858e6beee1d8a8313da5a\httpmime-4.5.13.jar MD5: 3f0c1ef2c9dc47b62b780192f54b0c18 SHA1: efc110bad4a0d45cda7858e6beee1d8a8313da5a SHA256:06e754d99245b98dcc2860dcb43d20e737d650da2bf2077a105f68accbd5c5cc Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath httpmime-4.5.13.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\com.ibm.icu\icu4j\63.1\385682b7fff53cd5ac2cad0fdb4658a7b97e9475\icu4j-63.1.jar MD5: e9038e9f7a2ab4d8e1cca5de4ccb8ef5 SHA1: 385682b7fff53cd5ac2cad0fdb4658a7b97e9475 SHA256:0940c61d12667413a58206a010ab5ca0758cc44ad9e9957ea98e0f871ab5eda0 Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath icu4j-63.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
International Components for Unicode (ICU) for C/C++ 63.1 has an integer overflow in number::impl::DecimalQuantity::toScientificString() in i18n/number_decimalquantity.cpp.
CDDL + GPLv2 with classpath exception: https://github.com/javaee/javax.annotation/blob/master/LICENSE
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\javax.annotation\javax.annotation-api\1.3.2\934c04d3cfef185a8008e7bf34331b79730a9d43\javax.annotation-api-1.3.2.jar MD5: 2ab1973eefffaa2aeec47d50b9e40b9d SHA1: 934c04d3cfef185a8008e7bf34331b79730a9d43 SHA256:e04ba5195bcd555dc95650f7cc614d151e4bcd52d29a10b8aa2197f3ab89ab9b Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath javax.annotation-api-1.3.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\javax.servlet\javax.servlet-api\3.1.0\3cd63d075497751784b2fa84be59432f4905bf7c\javax.servlet-api-3.1.0.jar MD5: 79de69e9f5ed8c7fcb8342585732bbf7 SHA1: 3cd63d075497751784b2fa84be59432f4905bf7c SHA256:af456b2dd41c4e82cf54f3e743bc678973d9fe35bd4d3071fa05c7e5333b8482 Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath javax.servlet-api-3.1.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-annotations\9.4.44.v20210927\e05deafd17977c1cc19418ac09a7be28909c50ff\jetty-annotations-9.4.44.v20210927.jar MD5: 6028fcd1cf6adddc9d6d6f6c55190e00 SHA1: e05deafd17977c1cc19418ac09a7be28909c50ff SHA256:afcf33e73cc0f1cc723302656e7fffa1b4e641ddd16b847d234348c629b436c8 Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath jetty-annotations-9.4.44.v20210927.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-annotations | High
Vendor | gradle | artifactid | jetty-annotations | Highest
Vendor | gradle | groupid | org.eclipse.jetty | Highest
Vendor | jar | package name | annotations | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | jetty | Highest
Vendor | Manifest | automatic-module-name | org.eclipse.jetty.annotations | Medium
Vendor | Manifest | build-jdk-spec | 11 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. | Low
Vendor | Manifest | bundle-docurl | https://eclipse.org/jetty | Low
Vendor | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.8 | Low
Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.annotations | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Jetty Project | High
Vendor | Manifest | originally-created-by | Apache Maven Bundle Plugin | Low
Vendor | Manifest | url | https://eclipse.org/jetty | Low
Vendor | pom | artifactid | jetty-annotations | Low
Vendor | pom | groupid | org.eclipse.jetty | Highest
Vendor | pom | name | Jetty :: Servlet Annotations | High
Vendor | pom | parent-artifactid | jetty-project | Low
Product | file | name | jetty-annotations | High
Product | gradle | artifactid | jetty-annotations | Highest
Product | jar | package name | annotations | Highest
Product | jar | package name | eclipse | Highest
Product | jar | package name | jetty | Highest
Product | Manifest | automatic-module-name | org.eclipse.jetty.annotations | Medium
Product | Manifest | build-jdk-spec | 11 | Low
Product | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. |
In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources left to process good requests.
CWE-664 Improper Control of a Resource Through its Lifetime, NVD-CWE-Other, CWE-410 Insufficient Resource Pool
Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.
CWE-400 Uncontrolled Resource Consumption, CWE-190 Integer Overflow or Wraparound
Description: HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Due Date: 2023-10-31
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/ ; https://nvd.nist.gov/vuln/detail/CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and exhaust the server's memory.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
NVD-CWE-noinfo, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character preceding the content-length value in an HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.
CWE-130 Improper Handling of Length Parameter Inconsistency, NVD-CWE-noinfo
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing.
The HttpURI class does insufficient validation on the authority segment of a URI. However the behaviour of HttpURI differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RFC. Specifically HttpURI and the browser may differ on the value of the host extracted from an invalid URI and thus a combination of Jetty and a vulnerable browser may be vulnerable to an open redirect attack or to an SSRF attack if the URI is used after passing validation checks.
CWE-1286 Improper Validation of Syntactic Correctness of Input, NVD-CWE-Other
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in versions 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of the jetty-openid which have configured a nested `LoginService` and where that `LoginService` is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.
In Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and 11.0.0 through 11.0.9, when parsing the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-client\9.4.44.v20210927\d8b2c13ec103d12cdc575dc1bfea155dea59e1e\jetty-client-9.4.44.v20210927.jar MD5: 300760f874c4ef8abb43d30b139eec42 SHA1: 0d8b2c13ec103d12cdc575dc1bfea155dea59e1e SHA256:81c335a33fea19ab71470e2b89295161f98a773fd3dfba1f4c4f9a358608090d Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath jetty-client-9.4.44.v20210927.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-client | High
Vendor | gradle | artifactid | jetty-client | Highest
Vendor | gradle | groupid | org.eclipse.jetty | Highest
Vendor | jar | package name | client | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | http | Highest
Vendor | jar | package name | jetty | Highest
Vendor | Manifest | automatic-module-name | org.eclipse.jetty.client | Medium
Vendor | Manifest | build-jdk-spec | 11 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. | Low
Vendor | Manifest | bundle-docurl | https://eclipse.org/jetty | Low
Vendor | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.8 | Low
Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.client | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Jetty Project | High
Vendor | Manifest | originally-created-by | Apache Maven Bundle Plugin | Low
Vendor | Manifest | url | https://eclipse.org/jetty | Low
Vendor | pom | artifactid | jetty-client | Low
Vendor | pom | groupid | org.eclipse.jetty | Highest
Vendor | pom | name | Jetty :: Asynchronous HTTP Client | High
Vendor | pom | parent-artifactid | jetty-project | Low
Product | file | name | jetty-client | High
Product | gradle | artifactid | jetty-client | Highest
Product | jar | package name | client | Highest
Product | jar | package name | eclipse | Highest
Product | jar | package name | http | Highest
Product | jar | package name | jetty | Highest
Product | Manifest | automatic-module-name | org.eclipse.jetty.client | Medium
Product | Manifest | build-jdk-spec | 11 | Low
Product | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. |
In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources left to process good requests.
CWE-664 Improper Control of a Resource Through its Lifetime, NVD-CWE-Other, CWE-410 Insufficient Resource Pool
Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.
CWE-400 Uncontrolled Resource Consumption, CWE-190 Integer Overflow or Wraparound
Description: HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Due Date: 2023-10-31
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/ ; https://nvd.nist.gov/vuln/detail/CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and exhaust the server's memory.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
NVD-CWE-noinfo, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character preceding the content-length value in an HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if Jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.
CWE-130 Improper Handling of Length Parameter Inconsistency, NVD-CWE-noinfo
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing.
The HttpURI class does insufficient validation on the authority segment of a URI. However, the behaviour of HttpURI differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RFC. Specifically, HttpURI and the browser may differ on the value of the host extracted from an invalid URI, and thus a combination of Jetty and a vulnerable browser may be vulnerable to an open redirect attack or to an SSRF attack if the URI is used after passing validation checks.
CWE-1286 Improper Validation of Syntactic Correctness of Input, NVD-CWE-Other
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to an org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in versions 9.4.52, 10.0.16, 11.0.16, and 12.0.0-beta2.
Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of jetty-openid which have configured a nested `LoginService` and where that `LoginService` is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.
In Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and 11.0.0 through 11.0.9, when parsing the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-continuation\9.4.44.v20210927\4ffc681d5b4cbbc340cb58b17d7ac66254ee5e62\jetty-continuation-9.4.44.v20210927.jar
MD5: 7a7499eb7ba8158d3199f5bad51b432a
SHA1: 4ffc681d5b4cbbc340cb58b17d7ac66254ee5e62
SHA256: cfb01376d77e2872a65ece6a997eff93ebc374e04db5c72a9748dca524b7e0f8
Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath
jetty-continuation-9.4.44.v20210927.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-continuation | High
Vendor | gradle | artifactid | jetty-continuation | Highest
Vendor | gradle | groupid | org.eclipse.jetty | Highest
Vendor | jar | package name | continuation | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | jetty | Highest
Vendor | Manifest | automatic-module-name | org.eclipse.jetty.continuation | Medium
Vendor | Manifest | build-jdk-spec | 11 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. | Low
Vendor | Manifest | bundle-docurl | https://eclipse.org/jetty | Low
Vendor | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.8 | Low
Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.continuation | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Jetty Project | High
Vendor | Manifest | originally-created-by | Apache Maven Bundle Plugin | Low
Vendor | Manifest | url | https://eclipse.org/jetty | Low
Vendor | pom | artifactid | jetty-continuation | Low
Vendor | pom | groupid | org.eclipse.jetty | Highest
Vendor | pom | name | Jetty :: Continuation | High
Vendor | pom | parent-artifactid | jetty-project | Low
Product | file | name | jetty-continuation | High
Product | gradle | artifactid | jetty-continuation | Highest
Product | jar | package name | continuation | Highest
Product | jar | package name | eclipse | Highest
Product | jar | package name | jetty | Highest
Product | Manifest | automatic-module-name | org.eclipse.jetty.continuation | Medium
Product | Manifest | build-jdk-spec | 11 | Low
Product | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. |
In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources left to process good requests.
CWE-664 Improper Control of a Resource Through its Lifetime, NVD-CWE-Other, CWE-410 Insufficient Resource Pool
Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.
CWE-400 Uncontrolled Resource Consumption, CWE-190 Integer Overflow or Wraparound
Description: HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Due Date: 2023-10-31
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/ ; https://nvd.nist.gov/vuln/detail/CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and exhaust the server's memory.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
NVD-CWE-noinfo, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character preceding the content-length value in an HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if Jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.
CWE-130 Improper Handling of Length Parameter Inconsistency, NVD-CWE-noinfo
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing.
The HttpURI class does insufficient validation on the authority segment of a URI. However, the behaviour of HttpURI differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RFC. Specifically, HttpURI and the browser may differ on the value of the host extracted from an invalid URI, and thus a combination of Jetty and a vulnerable browser may be vulnerable to an open redirect attack or to an SSRF attack if the URI is used after passing validation checks.
CWE-1286 Improper Validation of Syntactic Correctness of Input, NVD-CWE-Other
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to an org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in versions 9.4.52, 10.0.16, 11.0.16, and 12.0.0-beta2.
Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of jetty-openid which have configured a nested `LoginService` and where that `LoginService` is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.
In Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and 11.0.0 through 11.0.9, when parsing the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-http\9.4.44.v20210927\37f0e30cdc02128e40d095ad63cb18e10ecb7726\jetty-http-9.4.44.v20210927.jar
MD5: 632ab6ec05d82af095c0df1bbd36a1af
SHA1: 37f0e30cdc02128e40d095ad63cb18e10ecb7726
SHA256: 0a09fac4c0ea826f920cfe8d5beced61dcd8fec0eae99b88c7619609fa0dc403
Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath
jetty-http-9.4.44.v20210927.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-http | High
Vendor | gradle | artifactid | jetty-http | Highest
Vendor | gradle | groupid | org.eclipse.jetty | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | http | Highest
Vendor | jar | package name | jetty | Highest
Vendor | Manifest | automatic-module-name | org.eclipse.jetty.http | Medium
Vendor | Manifest | build-jdk-spec | 11 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. |
In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources left to process good requests.
CWE-664 Improper Control of a Resource Through its Lifetime, NVD-CWE-Other, CWE-410 Insufficient Resource Pool
Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.
CWE-400 Uncontrolled Resource Consumption, CWE-190 Integer Overflow or Wraparound
Description: HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Due Date: 2023-10-31
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/ ; https://nvd.nist.gov/vuln/detail/CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and exhaust the server's memory.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
NVD-CWE-noinfo, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character preceding the content-length value in an HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if Jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.
CWE-130 Improper Handling of Length Parameter Inconsistency, NVD-CWE-noinfo
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing.
The HttpURI class does insufficient validation on the authority segment of a URI. However, the behaviour of HttpURI differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RFC. Specifically, HttpURI and the browser may differ on the value of the host extracted from an invalid URI, and thus a combination of Jetty and a vulnerable browser may be vulnerable to an open redirect attack or to an SSRF attack if the URI is used after passing validation checks.
CWE-1286 Improper Validation of Syntactic Correctness of Input, NVD-CWE-Other
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to an org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in versions 9.4.52, 10.0.16, 11.0.16, and 12.0.0-beta2.
Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of jetty-openid which have configured a nested `LoginService` and where that `LoginService` is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.
In Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and 11.0.0 through 11.0.9, when parsing the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-io\9.4.44.v20210927\a2ec01e2b5552b777a3d7085163f80756ef8c1ce\jetty-io-9.4.44.v20210927.jar
MD5: d508ec41df25082316d21abe268ea768
SHA1: a2ec01e2b5552b777a3d7085163f80756ef8c1ce
SHA256: 3c6f1105500921aa4f9687c3a1b5fd9eba4661a5f438aa089829c2ecc9726745
Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath
jetty-io-9.4.44.v20210927.jar is in the transitive dependency tree of the listed items.
Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-io | High
Vendor | gradle | artifactid | jetty-io | Highest
Vendor | gradle | groupid | org.eclipse.jetty | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | io | Highest
Vendor | jar | package name | jetty | Highest
Vendor | Manifest | automatic-module-name | org.eclipse.jetty.io | Medium
Vendor | Manifest | build-jdk-spec | 11 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. | Low
Vendor | Manifest | bundle-docurl | https://eclipse.org/jetty | Low
Vendor | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.8 | Low
Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.io | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Jetty Project | High
Vendor | Manifest | originally-created-by | Apache Maven Bundle Plugin | Low
Vendor | Manifest | url | https://eclipse.org/jetty | Low
Vendor | pom | artifactid | jetty-io | Low
Vendor | pom | groupid | org.eclipse.jetty | Highest
Vendor | pom | name | Jetty :: IO Utility | High
Vendor | pom | parent-artifactid | jetty-project | Low
Product | file | name | jetty-io | High
Product | gradle | artifactid | jetty-io | Highest
Product | jar | package name | eclipse | Highest
Product | jar | package name | io | Highest
Product | jar | package name | jetty | Highest
Product | Manifest | automatic-module-name | org.eclipse.jetty.io | Medium
Product | Manifest | build-jdk-spec | 11 | Low
Product | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. |
In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources left to process good requests.
CWE-664 Improper Control of a Resource Through its Lifetime, NVD-CWE-Other, CWE-410 Insufficient Resource Pool
Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.
CWE-400 Uncontrolled Resource Consumption, CWE-190 Integer Overflow or Wraparound
Description: HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Due Date: 2023-10-31
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/ ; https://nvd.nist.gov/vuln/detail/CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and exhaust the server's memory.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
NVD-CWE-noinfo, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character preceding the content-length value in an HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if Jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.
CWE-130 Improper Handling of Length Parameter Inconsistency, NVD-CWE-noinfo
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing.
The HttpURI class does insufficient validation on the authority segment of a URI. However, the behaviour of HttpURI differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RFC. Specifically, HttpURI and the browser may differ on the value of the host extracted from an invalid URI, and thus a combination of Jetty and a vulnerable browser may be vulnerable to an open redirect attack or to an SSRF attack if the URI is used after passing validation checks.
CWE-1286 Improper Validation of Syntactic Correctness of Input, NVD-CWE-Other
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to an org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in versions 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of jetty-openid which have configured a nested `LoginService` and where that `LoginService` is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.
In Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and 11.0.0 through 11.0.9, when parsing the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a proxy scenario.
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-jndi\9.4.44.v20210927\8f4f459e38c78b5f6b021e4578acd7f6662f6553\jetty-jndi-9.4.44.v20210927.jar MD5: 95729700bbb649fca768289e537a65e6 SHA1: 8f4f459e38c78b5f6b021e4578acd7f6662f6553 SHA256: 2df993093d77037d7fb44b0f87cbe155740f8d2938fbb5f2826e0c2ea4a25c2e Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath. jetty-jndi-9.4.44.v20210927.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-jndi | High
Vendor | gradle | artifactid | jetty-jndi | Highest
Vendor | gradle | groupid | org.eclipse.jetty | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | java | Highest
Vendor | jar | package name | jetty | Highest
Vendor | jar | package name | jndi | Highest
Vendor | Manifest | automatic-module-name | org.eclipse.jetty.jndi | Medium
Vendor | Manifest | build-jdk-spec | 11 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. | Low
Vendor | Manifest | bundle-docurl | https://eclipse.org/jetty | Low
Vendor | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.8 | Low
Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.jndi | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Jetty Project | High
Vendor | Manifest | originally-created-by | Apache Maven Bundle Plugin | Low
Vendor | Manifest | url | https://eclipse.org/jetty | Low
Vendor | pom | artifactid | jetty-jndi | Low
Vendor | pom | groupid | org.eclipse.jetty | Highest
Vendor | pom | name | Jetty :: JNDI Naming | High
Vendor | pom | parent-artifactid | jetty-project | Low
Product | file | name | jetty-jndi | High
Product | gradle | artifactid | jetty-jndi | Highest
Product | jar | package name | eclipse | Highest
Product | jar | package name | java | Highest
Product | jar | package name | jetty | Highest
Product | jar | package name | jndi | Highest
Product | Manifest | automatic-module-name | org.eclipse.jetty.jndi | Medium
Product | Manifest | build-jdk-spec | 11 | Low
Product | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. |
In the Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources left to process good requests.
CWE-664 Improper Control of a Resource Through its Lifetime, NVD-CWE-Other, CWE-410 Insufficient Resource Pool
Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when `length` is very large and `huffman` is true, the multiplication by 4 in line 295 will overflow, and `length` will become negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.
CWE-400 Uncontrolled Resource Consumption, CWE-190 Integer Overflow or Wraparound
Description: HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Due Date: 2023-10-31
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/ ; https://nvd.nist.gov/vuln/detail/CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and exhaust the server's memory.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a Java based web server and servlet engine. In affected versions, servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default setting of `fileSizeThreshold=0`, which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize` to a non-negative value, so that the whole multipart content is limited (although still read into memory).
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a Java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of `b; JSESSIONID=1337; c=d`, instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is also significant when an intermediary is enacting some policy based on cookies: a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
NVD-CWE-noinfo, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character preceding the content-length value in an HTTP/1 header field. This is more permissive than allowed by the RFC, and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if Jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.
CWE-130 Improper Handling of Length Parameter Inconsistency, NVD-CWE-noinfo
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing.
The HttpURI class does insufficient validation on the authority segment of a URI. However, the behaviour of HttpURI differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RFC. Specifically, HttpURI and the browser may differ on the value of the host extracted from an invalid URI, and thus a combination of Jetty and a vulnerable browser may be vulnerable to an open redirect attack or to an SSRF attack if the URI is used after passing validation checks.
CWE-1286 Improper Validation of Syntactic Correctness of Input, NVD-CWE-Other
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to an org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in versions 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of jetty-openid which have configured a nested `LoginService` and where that `LoginService` is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.
In Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and 11.0.0 through 11.0.9, when parsing the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a proxy scenario.
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-plus\9.4.44.v20210927\7ce435886161c4f1a9015168712e6df974eb016f\jetty-plus-9.4.44.v20210927.jar MD5: 545cd0b00bfab9659782942a8a05b50d SHA1: 7ce435886161c4f1a9015168712e6df974eb016f SHA256: f751e1a60f47411caa100edecfe4c226a88d9a4e66731979442c6491abfb7d16 Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath. jetty-plus-9.4.44.v20210927.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-plus | High
Vendor | gradle | artifactid | jetty-plus | Highest
Vendor | gradle | groupid | org.eclipse.jetty | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | jetty | Highest
Vendor | jar | package name | plus | Highest
Vendor | Manifest | automatic-module-name | org.eclipse.jetty.plus | Medium
Vendor | Manifest | build-jdk-spec | 11 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. | Low
Vendor | Manifest | bundle-docurl | https://eclipse.org/jetty | Low
Vendor | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.8 | Low
Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.plus | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Jetty Project | High
Vendor | Manifest | originally-created-by | Apache Maven Bundle Plugin | Low
Vendor | Manifest | url | https://eclipse.org/jetty | Low
Vendor | pom | artifactid | jetty-plus | Low
Vendor | pom | groupid | org.eclipse.jetty | Highest
Vendor | pom | name | Jetty :: Plus | High
Vendor | pom | parent-artifactid | jetty-project | Low
Product | file | name | jetty-plus | High
Product | gradle | artifactid | jetty-plus | Highest
Product | jar | package name | eclipse | Highest
Product | jar | package name | jetty | Highest
Product | jar | package name | plus | Highest
Product | Manifest | automatic-module-name | org.eclipse.jetty.plus | Medium
Product | Manifest | build-jdk-spec | 11 | Low
Product | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. |
In the Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources left to process good requests.
CWE-664 Improper Control of a Resource Through its Lifetime, NVD-CWE-Other, CWE-410 Insufficient Resource Pool
Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when `length` is very large and `huffman` is true, the multiplication by 4 in line 295 will overflow, and `length` will become negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.
CWE-400 Uncontrolled Resource Consumption, CWE-190 Integer Overflow or Wraparound
Description: HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Due Date: 2023-10-31
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/ ; https://nvd.nist.gov/vuln/detail/CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and exhaust the server's memory.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a Java based web server and servlet engine. In affected versions, servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default setting of `fileSizeThreshold=0`, which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize` to a non-negative value, so that the whole multipart content is limited (although still read into memory).
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a Java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of `b; JSESSIONID=1337; c=d`, instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is also significant when an intermediary is enacting some policy based on cookies: a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
NVD-CWE-noinfo, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character preceding the content-length value in an HTTP/1 header field. This is more permissive than allowed by the RFC, and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if Jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.
CWE-130 Improper Handling of Length Parameter Inconsistency, NVD-CWE-noinfo
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing.
The HttpURI class does insufficient validation on the authority segment of a URI. However, the behaviour of HttpURI differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RFC. Specifically, HttpURI and the browser may differ on the value of the host extracted from an invalid URI, and thus a combination of Jetty and a vulnerable browser may be vulnerable to an open redirect attack or to an SSRF attack if the URI is used after passing validation checks.
CWE-1286 Improper Validation of Syntactic Correctness of Input, NVD-CWE-Other
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to an org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in versions 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of jetty-openid which have configured a nested `LoginService` and where that `LoginService` is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.
In Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and 11.0.0 through 11.0.9, when parsing the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a proxy scenario.
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.toolchain\jetty-schemas\3.1.2\e4fb7fb14038a35ac135a784180f8a51a518eab1\jetty-schemas-3.1.2.jar MD5: 287afdc303a48e93c09937a9a2dd0def SHA1: e4fb7fb14038a35ac135a784180f8a51a518eab1 SHA256: 40e2ae14ab6329e8eb6e6e6ba72e3b7091c69e3d28ac5d60ac5a93eadb81c60a Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath. jetty-schemas-3.1.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-security\9.4.44.v20210927\ecb80b8e008daa46e95e5691b2611d4007922497\jetty-security-9.4.44.v20210927.jar MD5: 8a1a277265ecd525eb049f28074085a3 SHA1: ecb80b8e008daa46e95e5691b2611d4007922497 SHA256: d7545a58dc0107035757da6538b70d2bbbc02d78e5f382ca670d258ce822a9f7 Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath. jetty-security-9.4.44.v20210927.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-security | High
Vendor | gradle | artifactid | jetty-security | Highest
Vendor | gradle | groupid | org.eclipse.jetty | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | jetty | Highest
Vendor | jar | package name | security | Highest
Vendor | Manifest | automatic-module-name | org.eclipse.jetty.security | Medium
Vendor | Manifest | build-jdk-spec | 11 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. | Low
Vendor | Manifest | bundle-docurl | https://eclipse.org/jetty | Low
Vendor | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.8 | Low
Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.security | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Jetty Project | High
Vendor | Manifest | originally-created-by | Apache Maven Bundle Plugin | Low
Vendor | Manifest | url | https://eclipse.org/jetty | Low
Vendor | pom | artifactid | jetty-security | Low
Vendor | pom | groupid | org.eclipse.jetty | Highest
Vendor | pom | name | Jetty :: Security | High
Vendor | pom | parent-artifactid | jetty-project | Low
Product | file | name | jetty-security | High
Product | gradle | artifactid | jetty-security | Highest
Product | jar | package name | eclipse | Highest
Product | jar | package name | jetty | Highest
Product | jar | package name | security | Highest
Product | Manifest | automatic-module-name | org.eclipse.jetty.security | Medium
Product | Manifest | build-jdk-spec | 11 | Low
Product | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. |
In the Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources left to process good requests.
CWE-664 Improper Control of a Resource Through its Lifetime, NVD-CWE-Other, CWE-410 Insufficient Resource Pool
Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when `length` is very large and `huffman` is true, the multiplication by 4 in line 295 will overflow, and `length` will become negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.
CWE-400 Uncontrolled Resource Consumption, CWE-190 Integer Overflow or Wraparound
Description: HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Due Date: 2023-10-31
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/ ; https://nvd.nist.gov/vuln/detail/CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and exhaust the server's memory.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a Java based web server and servlet engine. In affected versions, servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default setting of `fileSizeThreshold=0`, which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize` to a non-negative value, so that the whole multipart content is limited (although still read into memory).
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a Java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of `b; JSESSIONID=1337; c=d`, instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is also significant when an intermediary is enacting some policy based on cookies: a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
NVD-CWE-noinfo, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Jetty is a Java-based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character preceding the content-length value in an HTTP/1 header field. This is more permissive than allowed by the RFC, and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if Jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.
CWE-130 Improper Handling of Length Parameter Inconsistency, NVD-CWE-noinfo
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing.
The HttpURI class does insufficient validation on the authority segment of a URI, and its behaviour differs from that of common browsers in how it handles a URI that would be considered invalid if fully validated against the RFC. Specifically, HttpURI and the browser may differ on the value of the host extracted from an invalid URI, so a combination of Jetty and a vulnerable browser may be vulnerable to an open redirect attack or to an SSRF attack if the URI is used after passing validation checks.
CWE-1286 Improper Validation of Syntactic Correctness of Input, NVD-CWE-Other
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to an org.eclipse.jetty.servlets.CGI servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in versions 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
Jetty is a Java-based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of jetty-openid which have configured a nested `LoginService` and where that `LoginService` is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.
In Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and 11.0.0 through 11.0.9, when parsing the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a proxy scenario.
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-server\9.4.44.v20210927\bf2de0d31925a8ca71ad80f721236850b636e0d\jetty-server-9.4.44.v20210927.jar MD5: aef1d939f1750ce2512ce8f7619cf997 SHA1: 0bf2de0d31925a8ca71ad80f721236850b636e0d SHA256:d4f51fb02454b1c79489418f080d3409c557abca181f083881977b7a729a8f86 Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath jetty-server-9.4.44.v20210927.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-server | High
Vendor | gradle | artifactid | jetty-server | Highest
Vendor | gradle | groupid | org.eclipse.jetty | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | jetty | Highest
Vendor | jar | package name | server | Highest
Vendor | Manifest | automatic-module-name | org.eclipse.jetty.server | Medium
Vendor | Manifest | build-jdk-spec | 11 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. | Low
Vendor | Manifest | bundle-docurl | https://eclipse.org/jetty | Low
Vendor | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.8 | Low
Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.server | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Jetty Project | High
Vendor | Manifest | originally-created-by | Apache Maven Bundle Plugin | Low
Vendor | Manifest | url | https://eclipse.org/jetty | Low
Vendor | pom | artifactid | jetty-server | Low
Vendor | pom | groupid | org.eclipse.jetty | Highest
Vendor | pom | name | Jetty :: Server Core | High
Vendor | pom | parent-artifactid | jetty-project | Low
Product | file | name | jetty-server | High
Product | gradle | artifactid | jetty-server | Highest
Product | jar | package name | eclipse | Highest
Product | jar | package name | jetty | Highest
Product | jar | package name | server | Highest
Product | Manifest | automatic-module-name | org.eclipse.jetty.server | Medium
Product | Manifest | build-jdk-spec | 11 | Low
Product | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. |
In the Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a denial of service scenario where there are not enough resources left to process good requests.
CWE-664 Improper Control of a Resource Through its Lifetime, NVD-CWE-Other, CWE-410 Insufficient Resource Pool
Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.
CWE-400 Uncontrolled Resource Consumption, CWE-190 Integer Overflow or Wraparound
Description: HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Due Date: 2023-10-31
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/ ; https://nvd.nist.gov/vuln/detail/CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and exhaust the server's memory.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a Java-based web server and servlet engine. In affected versions, servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default setting of `fileSizeThreshold=0`, which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service, although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize`, which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a Java-based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote, even if a semicolon is encountered. So, a cookie header such as `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of `b; JSESSIONID=1337; c=d`, instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is also significant when an intermediary is enacting some policy based on cookies, since a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
NVD-CWE-noinfo, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Jetty is a Java-based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character preceding the content-length value in an HTTP/1 header field. This is more permissive than allowed by the RFC, and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if Jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.
CWE-130 Improper Handling of Length Parameter Inconsistency, NVD-CWE-noinfo
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing.
The HttpURI class does insufficient validation on the authority segment of a URI, and its behaviour differs from that of common browsers in how it handles a URI that would be considered invalid if fully validated against the RFC. Specifically, HttpURI and the browser may differ on the value of the host extracted from an invalid URI, so a combination of Jetty and a vulnerable browser may be vulnerable to an open redirect attack or to an SSRF attack if the URI is used after passing validation checks.
CWE-1286 Improper Validation of Syntactic Correctness of Input, NVD-CWE-Other
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to an org.eclipse.jetty.servlets.CGI servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in versions 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
Jetty is a Java-based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of jetty-openid which have configured a nested `LoginService` and where that `LoginService` is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.
In Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and 11.0.0 through 11.0.9, when parsing the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a proxy scenario.
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-servlet\9.4.44.v20210927\1cb43a0d74b7395c7207dbf3dc2ca97eac89f5fd\jetty-servlet-9.4.44.v20210927.jar MD5: 0bee43f80fe155ce9f2839f031feaf67 SHA1: 1cb43a0d74b7395c7207dbf3dc2ca97eac89f5fd SHA256:eb85f2cfa2cb2b809ccea0c92e33fb68542f5c0286575b48dac895daba7bd0ee Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath jetty-servlet-9.4.44.v20210927.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-servlet | High
Vendor | gradle | artifactid | jetty-servlet | Highest
Vendor | gradle | groupid | org.eclipse.jetty | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | jetty | Highest
Vendor | jar | package name | servlet | Highest
Vendor | Manifest | automatic-module-name | org.eclipse.jetty.servlet | Medium
Vendor | Manifest | build-jdk-spec | 11 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. | Low
Vendor | Manifest | bundle-docurl | https://eclipse.org/jetty | Low
Vendor | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.8 | Low
Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.servlet | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Jetty Project | High
Vendor | Manifest | originally-created-by | Apache Maven Bundle Plugin | Low
Vendor | Manifest | url | https://eclipse.org/jetty | Low
Vendor | pom | artifactid | jetty-servlet | Low
Vendor | pom | groupid | org.eclipse.jetty | Highest
Vendor | pom | name | Jetty :: Servlet Handling | High
Vendor | pom | parent-artifactid | jetty-project | Low
Product | file | name | jetty-servlet | High
Product | gradle | artifactid | jetty-servlet | Highest
Product | jar | package name | eclipse | Highest
Product | jar | package name | jetty | Highest
Product | jar | package name | servlet | Highest
Product | Manifest | automatic-module-name | org.eclipse.jetty.servlet | Medium
Product | Manifest | build-jdk-spec | 11 | Low
Product | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. |
In the Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a denial of service scenario where there are not enough resources left to process good requests.
CWE-664 Improper Control of a Resource Through its Lifetime, NVD-CWE-Other, CWE-410 Insufficient Resource Pool
Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.
CWE-400 Uncontrolled Resource Consumption, CWE-190 Integer Overflow or Wraparound
Description: HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Due Date: 2023-10-31
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/ ; https://nvd.nist.gov/vuln/detail/CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and exhaust the server's memory.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a Java-based web server and servlet engine. In affected versions, servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default setting of `fileSizeThreshold=0`, which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service, although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize`, which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a Java-based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote, even if a semicolon is encountered. So, a cookie header such as `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of `b; JSESSIONID=1337; c=d`, instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is also significant when an intermediary is enacting some policy based on cookies, since a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
NVD-CWE-noinfo, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Jetty is a Java-based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character preceding the content-length value in an HTTP/1 header field. This is more permissive than allowed by the RFC, and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if Jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.
CWE-130 Improper Handling of Length Parameter Inconsistency, NVD-CWE-noinfo
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing.
The HttpURI class does insufficient validation on the authority segment of a URI, and its behaviour differs from that of common browsers in how it handles a URI that would be considered invalid if fully validated against the RFC. Specifically, HttpURI and the browser may differ on the value of the host extracted from an invalid URI, so a combination of Jetty and a vulnerable browser may be vulnerable to an open redirect attack or to an SSRF attack if the URI is used after passing validation checks.
CWE-1286 Improper Validation of Syntactic Correctness of Input, NVD-CWE-Other
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to an org.eclipse.jetty.servlets.CGI servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in versions 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
Jetty is a Java-based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of jetty-openid which have configured a nested `LoginService` and where that `LoginService` is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.
In Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and 11.0.0 through 11.0.9, when parsing the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a proxy scenario.
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-servlets\9.4.44.v20210927\d22ec443ac9b983a8771a44ed258b47dc70108b6\jetty-servlets-9.4.44.v20210927.jar MD5: fc18884cf5ec835b10deba9d18facb20 SHA1: d22ec443ac9b983a8771a44ed258b47dc70108b6 SHA256:9f70d4dc470bc2581ad182de4411ce774cd4865ca643eafc044e867f49502b43 Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath jetty-servlets-9.4.44.v20210927.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-servlets | High
Vendor | gradle | artifactid | jetty-servlets | Highest
Vendor | gradle | groupid | org.eclipse.jetty | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | jetty | Highest
Vendor | jar | package name | servlets | Highest
Vendor | Manifest | automatic-module-name | org.eclipse.jetty.servlets | Medium
Vendor | Manifest | build-jdk-spec | 11 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. | Low
Vendor | Manifest | bundle-docurl | https://eclipse.org/jetty | Low
Vendor | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.8 | Low
Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.servlets | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Jetty Project | High
Vendor | Manifest | originally-created-by | Apache Maven Bundle Plugin | Low
Vendor | Manifest | url | https://eclipse.org/jetty | Low
Vendor | pom | artifactid | jetty-servlets | Low
Vendor | pom | groupid | org.eclipse.jetty | Highest
Vendor | pom | name | Jetty :: Utility Servlets and Filters | High
Vendor | pom | parent-artifactid | jetty-project | Low
Product | file | name | jetty-servlets | High
Product | gradle | artifactid | jetty-servlets | Highest
Product | jar | package name | eclipse | Highest
Product | jar | package name | jetty | Highest
Product | jar | package name | servlets | Highest
Product | Manifest | automatic-module-name | org.eclipse.jetty.servlets | Medium
Product | Manifest | build-jdk-spec | 11 | Low
Product | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. |
In the Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a denial of service scenario where there are not enough resources left to process good requests.
CWE-664 Improper Control of a Resource Through its Lifetime, NVD-CWE-Other, CWE-410 Insufficient Resource Pool
Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.
CWE-400 Uncontrolled Resource Consumption, CWE-190 Integer Overflow or Wraparound
Description: HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Due Date: 2023-10-31
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/ ; https://nvd.nist.gov/vuln/detail/CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack on a server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and eventually exhaust the server's memory.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2024-9823 for details
Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server's memory.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2024-6762 for details
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and exhaust the server's memory.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a Java-based web server and servlet engine. In affected versions, servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default setting of `fileSizeThreshold=0`, which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service, although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize`, which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a Java-based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So a cookie header such as `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of `b; JSESSIONID=1337; c=d`, instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
NVD-CWE-noinfo, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Jetty is a Java-based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character preceding the content-length value in an HTTP/1 header field. This is more permissive than allowed by the RFC, and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if Jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.
CWE-130 Improper Handling of Length Parameter Inconsistency, NVD-CWE-noinfo
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. Moreover, the behaviour of HttpURI differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RFC. Specifically, HttpURI and the browser may differ on the value of the host extracted from an invalid URI, and thus a combination of Jetty and a vulnerable browser may be vulnerable to an open redirect attack or to an SSRF attack if the URI is used after passing validation checks.
CWE-1286 Improper Validation of Syntactic Correctness of Input, NVD-CWE-Other
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to an org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in versions 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
Jetty is a Java-based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of jetty-openid which have configured a nested `LoginService` and where that `LoginService` is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.
In Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and 11.0.0 through 11.0.9, when parsing the authority segment of an http-scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-util\9.4.44.v20210927\3c7151c5a04a93119988b48a1577a972d90f8990\jetty-util-9.4.44.v20210927.jar MD5: 73b579e6f53afefaadeac30915de8875 SHA1: 3c7151c5a04a93119988b48a1577a972d90f8990 SHA256: 539179024520b614f62d5d83f25bea111f7b991c399e5f737fa6aa2750489079 Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath jetty-util-9.4.44.v20210927.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-util | High
Vendor | gradle | artifactid | jetty-util | Highest
Vendor | gradle | groupid | org.eclipse.jetty | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | jetty | Highest
Vendor | jar | package name | util | Highest
Vendor | Manifest | automatic-module-name | org.eclipse.jetty.util | Medium
Vendor | Manifest | build-jdk-spec | 11 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. | Low
Vendor | Manifest | bundle-docurl | https://eclipse.org/jetty | Low
Vendor | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.8 | Low
Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.util | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Jetty Project | High
Vendor | Manifest | originally-created-by | Apache Maven Bundle Plugin | Low
Vendor | Manifest | url | https://eclipse.org/jetty | Low
Vendor | pom | artifactid | jetty-util | Low
Vendor | pom | groupid | org.eclipse.jetty | Highest
Vendor | pom | name | Jetty :: Utilities | High
Vendor | pom | parent-artifactid | jetty-project | Low
Product | file | name | jetty-util | High
Product | gradle | artifactid | jetty-util | Highest
Product | jar | package name | eclipse | Highest
Product | jar | package name | jetty | Highest
Product | jar | package name | util | Highest
Product | Manifest | automatic-module-name | org.eclipse.jetty.util | Medium
Product | Manifest | build-jdk-spec | 11 | Low
Product | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. |
In the Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources left to process good requests.
CWE-664 Improper Control of a Resource Through its Lifetime, NVD-CWE-Other, CWE-410 Insufficient Resource Pool
Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.
CWE-400 Uncontrolled Resource Consumption, CWE-190 Integer Overflow or Wraparound
Description: HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Due Date: 2023-10-31
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/ ; https://nvd.nist.gov/vuln/detail/CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and exhaust the server's memory.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a Java-based web server and servlet engine. In affected versions, servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default setting of `fileSizeThreshold=0`, which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize`, which must be set to a non-negative value, so that the whole multipart content is limited (although still read into memory).
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a Java-based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So a cookie header such as `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of `b; JSESSIONID=1337; c=d`, instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
NVD-CWE-noinfo, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Jetty is a Java-based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character preceding the content-length value in an HTTP/1 header field. This is more permissive than allowed by the RFC, and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if Jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.
CWE-130 Improper Handling of Length Parameter Inconsistency, NVD-CWE-noinfo
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. Moreover, the behaviour of HttpURI differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RFC. Specifically, HttpURI and the browser may differ on the value of the host extracted from an invalid URI, and thus a combination of Jetty and a vulnerable browser may be vulnerable to an open redirect attack or to an SSRF attack if the URI is used after passing validation checks.
CWE-1286 Improper Validation of Syntactic Correctness of Input, NVD-CWE-Other
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to an org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in versions 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
Jetty is a Java-based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of jetty-openid which have configured a nested `LoginService` and where that `LoginService` is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.
In Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and 11.0.0 through 11.0.9, when parsing the authority segment of an http-scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-util-ajax\9.4.44.v20210927\ed2f30e8eef939ab2825e607d83f82f85167e2c0\jetty-util-ajax-9.4.44.v20210927.jar MD5: 2229353304338936514b0a349bcbbfb0 SHA1: ed2f30e8eef939ab2825e607d83f82f85167e2c0 SHA256: 15aee9ad62b6af6d3f90ee37c4d190003305b4b92d9b2646fcd4e9df46c9225f Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath jetty-util-ajax-9.4.44.v20210927.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-util-ajax | High
Vendor | gradle | artifactid | jetty-util-ajax | Highest
Vendor | gradle | groupid | org.eclipse.jetty | Highest
Vendor | jar | package name | ajax | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | jetty | Highest
Vendor | jar | package name | util | Highest
Vendor | Manifest | automatic-module-name | org.eclipse.jetty.util.ajax | Medium
Vendor | Manifest | build-jdk-spec | 11 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. | Low
Vendor | Manifest | bundle-docurl | https://eclipse.org/jetty | Low
Vendor | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.8 | Low
Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.util.ajax | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Jetty Project | High
Vendor | Manifest | originally-created-by | Apache Maven Bundle Plugin | Low
Vendor | Manifest | url | https://eclipse.org/jetty | Low
Vendor | pom | artifactid | jetty-util-ajax | Low
Vendor | pom | groupid | org.eclipse.jetty | Highest
Vendor | pom | name | Jetty :: Utilities :: Ajax(JSON) | High
Vendor | pom | parent-artifactid | jetty-project | Low
Product | file | name | jetty-util-ajax | High
Product | gradle | artifactid | jetty-util-ajax | Highest
Product | jar | package name | ajax | Highest
Product | jar | package name | eclipse | Highest
Product | jar | package name | jetty | Highest
Product | jar | package name | util | Highest
Product | Manifest | automatic-module-name | org.eclipse.jetty.util.ajax | Medium
Product | Manifest | build-jdk-spec | 11 | Low
Product | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. |
In the Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources left to process good requests.
CWE-664 Improper Control of a Resource Through its Lifetime, NVD-CWE-Other, CWE-410 Insufficient Resource Pool
Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.
CWE-400 Uncontrolled Resource Consumption, CWE-190 Integer Overflow or Wraparound
Description: HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Due Date: 2023-10-31
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/ ; https://nvd.nist.gov/vuln/detail/CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and exhaust the server's memory.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a Java-based web server and servlet engine. In affected versions, servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default setting of `fileSizeThreshold=0`, which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize`, which must be set to a non-negative value, so that the whole multipart content is limited (although still read into memory).
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a Java-based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So a cookie header such as `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of `b; JSESSIONID=1337; c=d`, instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
NVD-CWE-noinfo, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Jetty is a Java-based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character preceding the content-length value in an HTTP/1 header field. This is more permissive than allowed by the RFC, and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if Jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.
CWE-130 Improper Handling of Length Parameter Inconsistency, NVD-CWE-noinfo
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. Moreover, the behaviour of HttpURI differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RFC. Specifically, HttpURI and the browser may differ on the value of the host extracted from an invalid URI, and thus a combination of Jetty and a vulnerable browser may be vulnerable to an open redirect attack or to an SSRF attack if the URI is used after passing validation checks.
CWE-1286 Improper Validation of Syntactic Correctness of Input, NVD-CWE-Other
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to an org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in versions 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
Jetty is a Java-based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of jetty-openid which have configured a nested `LoginService` and where that `LoginService` is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.
In Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and 11.0.0 through 11.0.9, when parsing the authority segment of an http-scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-webapp\9.4.44.v20210927\60c0ff88088b2eddb2a8e40d6cc4d4e963b72d6e\jetty-webapp-9.4.44.v20210927.jar MD5: e7cbd268b0e56edf5f4351b0569b84ea SHA1: 60c0ff88088b2eddb2a8e40d6cc4d4e963b72d6e SHA256: b447a5dd9957f2cd414041aea46d2812bd39acc175d6d396941f8e1ce2995e96 Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath jetty-webapp-9.4.44.v20210927.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-webapp | High
Vendor | gradle | artifactid | jetty-webapp | Highest
Vendor | gradle | groupid | org.eclipse.jetty | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | jetty | Highest
Vendor | jar | package name | webapp | Highest
Vendor | Manifest | automatic-module-name | org.eclipse.jetty.webapp | Medium
Vendor | Manifest | build-jdk-spec | 11 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. | Low
Vendor | Manifest | bundle-docurl | https://eclipse.org/jetty | Low
Vendor | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.8 | Low
Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.webapp | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Jetty Project | High
Vendor | Manifest | originally-created-by | Apache Maven Bundle Plugin | Low
Vendor | Manifest | url | https://eclipse.org/jetty | Low
Vendor | pom | artifactid | jetty-webapp | Low
Vendor | pom | groupid | org.eclipse.jetty | Highest
Vendor | pom | name | Jetty :: Webapp Application Support | High
Vendor | pom | parent-artifactid | jetty-project | Low
Product | file | name | jetty-webapp | High
Product | gradle | artifactid | jetty-webapp | Highest
Product | jar | package name | eclipse | Highest
Product | jar | package name | jetty | Highest
Product | jar | package name | webapp | Highest
Product | Manifest | automatic-module-name | org.eclipse.jetty.webapp | Medium
Product | Manifest | build-jdk-spec | 11 | Low
Product | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. |
In the Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources left to process good requests.
CWE-664 Improper Control of a Resource Through its Lifetime, NVD-CWE-Other, CWE-410 Insufficient Resource Pool
Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.
CWE-400 Uncontrolled Resource Consumption, CWE-190 Integer Overflow or Wraparound
Description: HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Due Date: 2023-10-31
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/ ; https://nvd.nist.gov/vuln/detail/CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and exhaust the server's memory.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a Java-based web server and servlet engine. In affected versions, servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default setting of `fileSizeThreshold=0`, which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize`, which must be set to a non-negative value, so that the whole multipart content is limited (although still read into memory).
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a Java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote, even if a semicolon is encountered. So, a cookie header such as `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of `b; JSESSIONID=1337; c=d`, instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
NVD-CWE-noinfo, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character preceding the content-length value in an HTTP/1 header field. This is more permissive than allowed by the RFC, and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if Jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.
CWE-130 Improper Handling of Length Parameter Inconsistency, NVD-CWE-noinfo
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing.
The HttpURI class does insufficient validation on the authority segment of a URI. However, the behaviour of HttpURI differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RFC. Specifically, HttpURI and the browser may differ on the value of the host extracted from an invalid URI, and thus a combination of Jetty and a vulnerable browser may be vulnerable to an open redirect attack or to an SSRF attack if the URI is used after passing validation checks.
CWE-1286 Improper Validation of Syntactic Correctness of Input, NVD-CWE-Other
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to an org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in versions 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of jetty-openid which have configured a nested `LoginService` and where that `LoginService` is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.
In Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and 11.0.0 through 11.0.9, when parsing the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a proxy scenario.
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-xml\9.4.44.v20210927\da53a0fa775752cd4626539796bdb49e9b4cf23c\jetty-xml-9.4.44.v20210927.jar MD5: f4b04def913d930cfd17970b7b82bd92 SHA1: da53a0fa775752cd4626539796bdb49e9b4cf23c SHA256:5d8a77311c87015006547d23bd06e36b02212c48ca26c2b0b30b8d2ca3c6e6c3 Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath jetty-xml-9.4.44.v20210927.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jetty-xml | High
Vendor | gradle | artifactid | jetty-xml | Highest
Vendor | gradle | groupid | org.eclipse.jetty | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | jetty | Highest
Vendor | jar | package name | xml | Highest
Vendor | Manifest | automatic-module-name | org.eclipse.jetty.xml | Medium
Vendor | Manifest | build-jdk-spec | 11 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. | Low
Vendor | Manifest | bundle-docurl | https://eclipse.org/jetty | Low
Vendor | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.8 | Low
Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.xml | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Jetty Project | High
Vendor | Manifest | originally-created-by | Apache Maven Bundle Plugin | Low
Vendor | Manifest | url | https://eclipse.org/jetty | Low
Vendor | pom | artifactid | jetty-xml | Low
Vendor | pom | groupid | org.eclipse.jetty | Highest
Vendor | pom | name | Jetty :: XML utilities | High
Vendor | pom | parent-artifactid | jetty-project | Low
Product | file | name | jetty-xml | High
Product | gradle | artifactid | jetty-xml | Highest
Product | jar | package name | eclipse | Highest
Product | jar | package name | jetty | Highest
Product | jar | package name | xml | Highest
Product | Manifest | automatic-module-name | org.eclipse.jetty.xml | Medium
Product | Manifest | build-jdk-spec | 11 | Low
Product | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. |
In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources left to process good requests.
CWE-664 Improper Control of a Resource Through its Lifetime, NVD-CWE-Other, CWE-410 Insufficient Resource Pool
Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.
CWE-400 Uncontrolled Resource Consumption, CWE-190 Integer Overflow or Wraparound
Description: HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Due Date: 2023-10-31
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/ ; https://nvd.nist.gov/vuln/detail/CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and exhaust the server's memory.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a Java based web server and servlet engine. In affected versions, servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default setting of `fileSizeThreshold=0`, which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service, although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize`, which must be set to a non-negative value, so that the whole multipart content is limited (although still read into memory).
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a Java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote, even if a semicolon is encountered. So, a cookie header such as `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of `b; JSESSIONID=1337; c=d`, instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
NVD-CWE-noinfo, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character preceding the content-length value in an HTTP/1 header field. This is more permissive than allowed by the RFC, and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if Jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.
CWE-130 Improper Handling of Length Parameter Inconsistency, NVD-CWE-noinfo
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing.
The HttpURI class does insufficient validation on the authority segment of a URI. However, the behaviour of HttpURI differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RFC. Specifically, HttpURI and the browser may differ on the value of the host extracted from an invalid URI, and thus a combination of Jetty and a vulnerable browser may be vulnerable to an open redirect attack or to an SSRF attack if the URI is used after passing validation checks.
CWE-1286 Improper Validation of Syntactic Correctness of Input, NVD-CWE-Other
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to an org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in versions 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of jetty-openid which have configured a nested `LoginService` and where that `LoginService` is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.
In Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and 11.0.0 through 11.0.9, when parsing the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a proxy scenario.
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\com.google.code.findbugs\jsr305\1.3.9\40719ea6961c0cb6afaeb6a921eaa1f6afd4cfdf\jsr305-1.3.9.jar MD5: 1d5a772e400b04bb67a7ef4a0e0996d8 SHA1: 40719ea6961c0cb6afaeb6a921eaa1f6afd4cfdf SHA256:905721a0eea90a81534abb7ee6ef4ea2e5e645fa1def0a5cd88402df1b46c9ed Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath jsr305-1.3.9.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
HtmlUnit adaptation of NekoHtml. It has the same functionality but exposes HTMLElements so they can be overridden.
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\net.sourceforge.htmlunit\neko-htmlunit\2.55.0\357606d1648fe63f8bf159d357f54dfbf8611b08\neko-htmlunit-2.55.0.jar MD5: 13b98d3a1b6e7b2c0fa73ddd64d9e7dd SHA1: 357606d1648fe63f8bf159d357f54dfbf8611b08 SHA256:8d8d81d5092c586ed6c6f90342b67d8c1f3f615fd7ebed977f03c9506754f752 Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath neko-htmlunit-2.55.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
Versions of the package net.sourceforge.htmlunit:htmlunit from 0 and before 3.0.0 are vulnerable to Remote Code Execution (RCE) via XSLT, when browsing the attacker's webpage.
CWE-94 Improper Control of Generation of Code ('Code Injection'), NVD-CWE-noinfo
HtmlUnit is a GUI-less browser for Java programs. HtmlUnit is vulnerable to Remote Code Execution (RCE) via XSLT when browsing the attacker's webpage. This vulnerability has been patched in version 3.9.0.
CWE-94 Improper Control of Generation of Code ('Code Injection'), NVD-CWE-noinfo
Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2022-28366 for details
HtmlUnit NekoHtml Parser before 2.61.0 suffers from a denial of service vulnerability. Crafted input associated with the parsing of Processing Instruction (PI) data leads to heap memory consumption. This is similar to CVE-2022-28366 but affects a much later version of the product.
Those using HtmlUnit to browse untrusted webpages may be vulnerable to Denial of Service attacks (DoS). If HtmlUnit is running on user supplied web pages, an attacker may supply content that causes HtmlUnit to crash by a stack overflow. This effect may support a denial of service attack. This issue affects htmlunit before 2.70.0.
AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to 1.7.5, there is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the `preserveComments` directive must be enabled in your policy file. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output. Patched in AntiSamy 1.7.5 and later.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Parse Content Security Policy headers, warn about policy errors, safely manipulate, render, and optimise policies
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\com.shapesecurity\salvation2\3.0.0\15f4d7969936bfd6d554227f11f5ae2c71e176b\salvation2-3.0.0.jar MD5: 47c0980cef52801fefdd835107365837 SHA1: 015f4d7969936bfd6d554227f11f5ae2c71e176b SHA256:1375d45e36ff94643779bdd2f158f49cb137d2de8a4aa8080c7a602d95db7cee Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath salvation2-3.0.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
Serializer to write out XML, HTML etc. as a stream of characters from an input DOM or from input SAX events.
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\xalan\serializer\2.7.2\24247f3bb052ee068971393bdb83e04512bb1c3c\serializer-2.7.2.jar MD5: e8325763fd4235f174ab7b72ed815db1 SHA1: 24247f3bb052ee068971393bdb83e04512bb1c3c SHA256:e8f5b4340d3b12a0cfa44ac2db4be4e0639e479ae847df04c4ed8b521734bb4a Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath serializer-2.7.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
Evidence
Type | Source | Name | Value | Confidence
Vendor | central | artifactid | serializer | Highest
Vendor | central | groupid | xalan | Highest
Vendor | file | name | serializer | High
Vendor | gradle | artifactid | serializer | Highest
Vendor | gradle | groupid | xalan | Highest
Vendor | jar | package name | apache | Highest
Vendor | jar | package name | apache | Low
Vendor | jar | package name | serializer | Low
Vendor | jar | package name | xml | Low
Vendor | manifest: org/apache/xml/serializer/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | manifest: org/apache/xml/serializer/utils/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | pom | artifactid | serializer | Low
Vendor | pom | groupid | xalan | Highest
Vendor | pom | name | Xalan Java Serializer | High
Vendor | pom | parent-artifactid | apache | Low
Vendor | pom | parent-groupid | org.apache | Medium
Vendor | pom | url | http://xml.apache.org/xalan-j/ | Highest
Product | central | artifactid | serializer | Highest
Product | file | name | serializer | High
Product | gradle | artifactid | serializer | Highest
Product | jar | package name | apache | Highest
Product | jar | package name | serializer | Highest
Product | jar | package name | serializer | Low
Product | jar | package name | utils | Highest
Product | jar | package name | xml | Highest
Product | jar | package name | xml | Low
Product | manifest: org/apache/xml/serializer/ | Implementation-Title | org.apache.xml.serializer | Medium
Product | manifest: org/apache/xml/serializer/ | Specification-Title | XSL Transformations (XSLT), at http://www.w3.org/TR/xslt |
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
CWE-681 Incorrect Conversion between Numeric Types
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\tapestry\tapestry\4.0.2\e855a807425d522e958cbce8697f21e9d679b1f7\tapestry-4.0.2.jar MD5: f5c2ca73084c006ed6b181d89d91b4d0 SHA1: e855a807425d522e958cbce8697f21e9d679b1f7 SHA256:16dfc5b6b322bb0734b80e89d77fbeb987c809002fe59d52d9707a035949b107 Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath tapestry-4.0.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
A Java Serialization vulnerability was found in Apache Tapestry 4. Apache Tapestry 4 will attempt to deserialize the "sp" parameter even before invoking the page's validate method, leading to deserialization without authentication. Apache Tapestry 4 reached end of life in 2008 and no update to address this issue will be released. Apache Tapestry 5 versions are not vulnerable to this issue. Users of Apache Tapestry 4 should upgrade to the latest Apache Tapestry 5 version.
Apache Tapestry before 5.3.6 relies on client-side object storage without checking whether a client has modified an object, which allows remote attackers to cause a denial of service (resource consumption) or execute arbitrary code via crafted serialized data.
Apache Tapestry up to version 5.8.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles Content Types. Specially crafted Content Types may cause catastrophic backtracking, taking exponential time to complete. Specifically, this is about the regular expression used on the parameter of the org.apache.tapestry5.http.ContentType class. Apache Tapestry 5.8.2 has a fix for this vulnerability. Notice the vulnerability cannot be triggered by web requests in Tapestry code alone. It would only happen if there's some non-Tapestry codepath passing some outside input to the ContentType class constructor.
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.websocket\websocket-api\9.4.44.v20210927\afc5642bba238f43fec8b0841e20035786a2f13f\websocket-api-9.4.44.v20210927.jar MD5: 6ecbfee7179164ef4e8e0a35060ae70b SHA1: afc5642bba238f43fec8b0841e20035786a2f13f SHA256:6e580933546864bd3294ffa5af13bfc9aed7de690b62a183fef58203afda4368 Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath websocket-api-9.4.44.v20210927.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | websocket-api | High
Vendor | gradle | artifactid | websocket-api | Highest
Vendor | gradle | groupid | org.eclipse.jetty.websocket | Highest
Vendor | jar | package name | api | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | jetty | Highest
Vendor | jar | package name | websocket | Highest
Vendor | Manifest | automatic-module-name | org.eclipse.jetty.websocket.api | Medium
Vendor | Manifest | build-jdk-spec | 11 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. | Low
Vendor | Manifest | bundle-docurl | https://eclipse.org/jetty | Low
Vendor | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.8 | Low
Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.websocket.api | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Jetty Project | High
Vendor | Manifest | originally-created-by | Apache Maven Bundle Plugin | Low
Vendor | Manifest | url | https://eclipse.org/jetty | Low
Vendor | pom | artifactid | websocket-api | Low
Vendor | pom | groupid | org.eclipse.jetty.websocket | Highest
Vendor | pom | name | Jetty :: Websocket :: API | High
Vendor | pom | parent-artifactid | websocket-parent | Low
Product | file | name | websocket-api | High
Product | gradle | artifactid | websocket-api | Highest
Product | jar | package name | api | Highest
Product | jar | package name | eclipse | Highest
Product | jar | package name | jetty | Highest
Product | jar | package name | websocket | Highest
Product | Manifest | automatic-module-name | org.eclipse.jetty.websocket.api | Medium
Product | Manifest | build-jdk-spec | 11 | Low
Product | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. |
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.websocket\websocket-client\9.4.44.v20210927\77fe11eb5d7dacc10fd5644983877e8973d4e26d\websocket-client-9.4.44.v20210927.jar MD5: f31459fa428c86830aa7bf57768d848c SHA1: 77fe11eb5d7dacc10fd5644983877e8973d4e26d SHA256:46f531b1b46da48ace1b8c3cc0a9c080762b8bcc0b9ce411364b8552e4ea0e75 Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath websocket-client-9.4.44.v20210927.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | websocket-client | High
Vendor | gradle | artifactid | websocket-client | Highest
Vendor | gradle | groupid | org.eclipse.jetty.websocket | Highest
Vendor | jar | package name | client | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | jetty | Highest
Vendor | jar | package name | websocket | Highest
Vendor | Manifest | automatic-module-name | org.eclipse.jetty.websocket.client | Medium
Vendor | Manifest | build-jdk-spec | 11 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. | Low
Vendor | Manifest | bundle-docurl | https://eclipse.org/jetty | Low
Vendor | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.8 | Low
Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.websocket.client | Medium
Vendor | Manifest | Implementation-Vendor | Eclipse Jetty Project | High
Vendor | Manifest | originally-created-by | Apache Maven Bundle Plugin | Low
Vendor | Manifest | url | https://eclipse.org/jetty | Low
Vendor | pom | artifactid | websocket-client | Low
Vendor | pom | groupid | org.eclipse.jetty.websocket | Highest
Vendor | pom | name | Jetty :: Websocket :: Client | High
Vendor | pom | parent-artifactid | websocket-parent | Low
Product | file | name | websocket-client | High
Product | gradle | artifactid | websocket-client | Highest
Product | jar | package name | client | Highest
Product | jar | package name | eclipse | Highest
Product | jar | package name | jetty | Highest
Product | jar | package name | websocket | Highest
Product | Manifest | automatic-module-name | org.eclipse.jetty.websocket.client | Medium
Product | Manifest | build-jdk-spec | 11 | Low
Product | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. |
In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources left to process good requests.
CWE-664 Improper Control of a Resource Through its Lifetime, NVD-CWE-Other, CWE-410 Insufficient Resource Pool
Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.
CWE-400 Uncontrolled Resource Consumption, CWE-190 Integer Overflow or Wraparound
Description: HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Due Date: 2023-10-31
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/ ; https://nvd.nist.gov/vuln/detail/CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and exhaust the server's memory.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a Java based web server and servlet engine. In affected versions, servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default setting of `fileSizeThreshold=0`, which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service, although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize`, which must be set to a non-negative value, so that the whole multipart content is limited (although still read into memory).
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
NVD-CWE-noinfo, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character preceding the content-length value in an HTTP/1 header field. This is more permissive than allowed by the RFC, and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if Jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.
CWE-130 Improper Handling of Length Parameter Inconsistency, NVD-CWE-noinfo
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing.
The HttpURI class does insufficient validation on the authority segment of a URI. However, the behaviour of HttpURI differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RFC. Specifically, HttpURI and the browser may differ on the value of the host extracted from an invalid URI, and thus a combination of Jetty and a vulnerable browser may be vulnerable to an open redirect attack or to an SSRF attack if the URI is used after passing validation checks.
CWE-1286 Improper Validation of Syntactic Correctness of Input, NVD-CWE-Other
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of the jetty-openid which have configured a nested `LoginService` and where that `LoginService` is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.
In Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and 11.0.0 through 11.0.9, when parsing the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\org.eclipse.jetty.websocket\websocket-common\9.4.44.v20210927\ba1b2d2096f0bab85dda350d19e176cc3d049009\websocket-common-9.4.44.v20210927.jar MD5: 213a3a2ac738ec2f05665957c332edae SHA1: ba1b2d2096f0bab85dda350d19e176cc3d049009 SHA256: 5bbd4799cc2366f40055734ea9312bde7f2a31ec5cae56e65f6df469f0be9852 Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath websocket-common-9.4.44.v20210927.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | websocket-common | High
Vendor | gradle | artifactid | websocket-common | Highest
Vendor | gradle | groupid | org.eclipse.jetty.websocket | Highest
Vendor | jar | package name | common | Highest
Vendor | jar | package name | eclipse | Highest
Vendor | jar | package name | jetty | Highest
Vendor | jar | package name | websocket | Highest
Vendor | Manifest | automatic-module-name | org.eclipse.jetty.websocket.common | Medium
Vendor | Manifest | build-jdk-spec | 11 | Low
Vendor | Manifest | bundle-copyright | Copyright (c) 2008-2021 Mort Bay Consulting Pty Ltd and others. |
In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources left to process good requests.
CWE-664 Improper Control of a Resource Through its Lifetime, NVD-CWE-Other, CWE-410 Insufficient Resource Pool
Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.
CWE-400 Uncontrolled Resource Consumption, CWE-190 Integer Overflow or Wraparound
Description: HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Due Date: 2023-10-31
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/ ; https://nvd.nist.gov/vuln/detail/CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and exhaust the server's memory.
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
NVD-CWE-noinfo, CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character preceding the content-length value in an HTTP/1 header field. This is more permissive than allowed by the RFC, and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if Jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.
CWE-130 Improper Handling of Length Parameter Inconsistency, NVD-CWE-noinfo
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing.
The HttpURI class does insufficient validation on the authority segment of a URI. However, the behaviour of HttpURI differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RFC. Specifically, HttpURI and the browser may differ on the value of the host extracted from an invalid URI, and thus a combination of Jetty and a vulnerable browser may be vulnerable to an open redirect attack or to an SSRF attack if the URI is used after passing validation checks.
CWE-1286 Improper Validation of Syntactic Correctness of Input, NVD-CWE-Other
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of the jetty-openid which have configured a nested `LoginService` and where that `LoginService` is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.
In Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and 11.0.0 through 11.0.9, when parsing the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.
Xalan-Java is an XSLT processor for transforming XML documents into HTML, text, or other XML document types. It implements XSL Transformations (XSLT) Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from the command line, in an applet or a servlet, or as a module in other programs.
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\xalan\xalan\2.7.2\d55d3f02a56ec4c25695fe67e1334ff8c2ecea23\xalan-2.7.2.jar MD5: 6aa6607802502c8016b676f25f8e4873 SHA1: d55d3f02a56ec4c25695fe67e1334ff8c2ecea23 SHA256: a44bd80e82cb0f4cfac0dac8575746223802514e3cec9dc75235bc0de646af14 Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath xalan-2.7.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
CWE-681 Incorrect Conversion between Numeric Types
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program. The Apache Xerces2 parser is the reference implementation of XNI but other parser components, configurations, and parsers can be written using the Xerces Native Interface. For complete design and implementation documents, refer to the XNI Manual.
Xerces2 is a fully conforming XML Schema 1.0 processor. A partial experimental implementation of the XML Schema 1.1 Structures and Datatypes Working Drafts (December 2009) and an experimental implementation of the XML Schema Definition Language (XSD): Component Designators (SCD) Candidate Recommendation (January 2010) are provided for evaluation. For more information, refer to the XML Schema page. Xerces2 also provides a complete implementation of the Document Object Model Level 3 Core and Load/Save W3C Recommendations and provides a complete implementation of the XML Inclusions (XInclude) W3C Recommendation. It also provides support for OASIS XML Catalogs v1.1. Xerces2 is able to parse documents written according to the XML 1.1 Recommendation, except that it does not yet provide an option to enable normalization checking as described in section 2.13 of this specification. It also handles namespaces according to the XML Namespaces 1.1 Recommendation, and will correctly serialize XML 1.1 documents if the DOM level 3 load/save APIs are in use.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\xerces\xercesImpl\2.12.1\3a206b25679f598a03374afd4e0410d8849b088b\xercesImpl-2.12.1.jar MD5: 9f82c362c893779109c1de812c5d4deb SHA1: 3a206b25679f598a03374afd4e0410d8849b088b SHA256: ae0c329a3187178c8e7b0369a5346845e426062ffbb8a08fc68ced6affe6c626 Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath xercesImpl-2.12.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1
There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for a prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
sonatype-2017-0348 - xerces:xercesImpl - Denial of Service (DoS)
The software contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.
xml-commons provides an Apache-hosted set of DOM, SAX, and JAXP interfaces for use in other xml-based projects. Our hope is that we can standardize on both a common version and packaging scheme for these critical XML standards interfaces to make the lives of both our developers and users easier. The External Components portion of xml-commons contains interfaces that are defined by external standards organizations. For DOM, that's the W3C; for SAX it's David Megginson and sax.sourceforge.net; for JAXP it's Sun.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
The SAX License: http://www.saxproject.org/copying.html
The W3C License: http://www.w3.org/TR/2004/REC-DOM-Level-3-Core-20040407/java-binding.zip
File Path: C:\Users\mikko\.gradle\caches\modules-2\files-2.1\xml-apis\xml-apis\1.4.01\3789d9fada2d3d458c4ba2de349d48780f381ee3\xml-apis-1.4.01.jar MD5: 7eaad6fea5925cca6c36ee8b3e02ac9d SHA1: 3789d9fada2d3d458c4ba2de349d48780f381ee3 SHA256: a840968176645684bb01aed376e067ab39614885f9eee44abe35a5f20ebe7fad Referenced In Project/Scope: gwt-dev-vulnerabilities:runtimeClasspath xml-apis-1.4.01.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.gwtproject/gwt-dev@2.12.1